Abstract

We extend Shi's 2002 quantum lower bound for collision in $r$-to-one functions with $n$ inputs. Shi's bound of $\Omega((n/r)^{1/3})$ is tight, but his proof applies only in the case where the range has size at least $3n/2$. We give a modified version of Shi's argument which removes this restriction.

1 Introduction 

How many quantum queries does it take to find a collision? Many cryptographic systems depend on the difficulty of finding collisions, so it is important to understand how difficult this problem may prove for a quantum computer.

Obviously, it may be easier to find collisions in some functions than in others. We are interested in a black-box argument: our only access to the function is as a quantum oracle. We are promised that the function is $r$-to-one. (We require that $r$ be a divisor of $n$, the size of the input space.) Brassard, Høyer, and Tapp gave a quantum algorithm which requires $O((n/r)^{1/3})$ quantum queries, an improvement over the $O((n/r)^{1/2})$ classical queries needed. In this note, we are concerned with the matching lower bound.

For a lower bound, it is easier to consider a decision problem: the input function is guaranteed to be either one-to-one or $r$-to-one, and our task is to determine which case holds. Aaronson [1] proved the first significant lower bound: $\Omega((n/r)^{1/5})$ queries.

More recently, Shi proved a lower bound of $\Omega((n/r)^{1/3})$, given the additional condition that the size of the range of the function is at least $3n/2$. (In the case where the range is only $n$, Shi provides a lower bound of $\Omega((n/r)^{1/4})$.) Shi's proof is a novel application of the methods of Nisan and Szegedy to the case where one cannot fully symmetrize the multivariate polynomials.

Our main result is a new version of Shi's theorem, but without the additional constraint on the size of the range:

Theorem 1 Let $n > 0$ and $r \ge 2$ be integers with $r \mid n$, and let a function from $[n]$ to $[n]$ be given as an oracle with the promise that it is either one-to-one or $r$-to-one. Then any quantum algorithm for distinguishing these two cases must evaluate the function $\Omega((n/r)^{1/3})$ times.

The argument is very similar to that of Shi. As stated above, we remove the requirement that the range be at least $3n/2$. Our proof is conceptually simpler for other reasons:

1. The natural automorphism group on the set of functions from $[n]$ to $[N]$ is $S_n \times S_N$. Our argument symmetrizes with respect to the entire group.

2. We avoid the explicit introduction of the problem Half-$r$-to-one.

2 Preliminaries 

2.1 Functions as quantum oracles. 

Let $n, N > 0$ be integers. Let $\mathcal{F}(n, N)$ be the set of functions from $[n]$ to $[N]$.

Our functions are given to us as a quantum oracle. We can perform a transformation $O_f$, which applies $f$ to part of the quantum state:

$$O_f \lvert i, j, z \rangle \mapsto \lvert i,\; f(i) + j \pmod N,\; z \rangle.$$

Here $z$ is a placeholder for the unaffected portion of the quantum state.

The query complexity of a quantum algorithm is the number of times it calls $O_f$. We think of our algorithm as alternating between $T + 1$ unitary operators and $T$ applications of $O_f$.

Let $\delta_{i,j}(f)$ be 1 when $f(i) = j$, and 0 otherwise. Then, after $T$ queries, the amplitude of each quantum basis state is a degree-$T$ polynomial in these $\delta_{i,j}(f)$. Hence, the acceptance probability $P(f)$ is a polynomial over the $\delta_{i,j}$ of degree at most $2T$. This connection between quantum query complexity and polynomial degree is due to Beals, et al. [2].

Note that this polynomial $P(f)$ is constrained to be in the interval $[0, 1]$ whenever the $\delta_{i,j}$ correspond to a valid input; i.e.,

$$\forall i, j \quad \delta_{i,j} \in \{0, 1\}, \qquad \forall i \quad \sum_j \delta_{i,j} = 1. \tag{1}$$

The connection between polynomial degree and query complexity was first made by Nisan and Szegedy. In their applications, they symmetrized over all permutations of the variables, reducing the multivariate polynomial to a univariate polynomial. They then apply results from approximation theory to prove a lower bound on the degree of the polynomial. Beals, et al. [2] followed the same approach.

A nice, general version of the approximation theory results was shown by Paturi. Following Shi, we use a slight modification of Paturi's theorem:

Theorem 2 (Paturi) Let $q(x) \in \mathbb{R}[x]$ be a polynomial of degree $d$. Let $a$ and $b$ be integers, $a < b$, and let $\xi \in [a, b]$ be a real number. If

1. $|q(i)| \le c_1$ for all integers $i \in [a, b]$, and

2. $|q(\lfloor \xi \rfloor) - q(\xi)| \ge c_2$ for some constant $c_2 > 0$,

then

where the hidden constant depends on $c_1$ and $c_2$.

Note that, if the conditions of the theorem are met for any $\xi$, we have $d = \Omega(\sqrt{b - a})$. If they are met for some $\xi \approx (a + b)/2$, then $d = \Omega(b - a)$.

In our setting, the automorphism group for the variables $\delta_{i,j}$ is $S_n \times S_N$. If we symmetrize with respect to this group, we do not immediately obtain a univariate polynomial. Hence, we will have to work harder to apply Theorem 2.

For $\sigma \in S_n$, $\tau \in S_N$, we define $\Gamma_{\sigma,\tau} : \mathcal{F}(n, N) \to \mathcal{F}(n, N)$ by

$$\Gamma_{\sigma,\tau}(f) = \tau \circ f \circ \sigma.$$

Let $P(f)$ be an acceptance polynomial as above. We can write $P$ as a sum $\sum_S c_S I_S(f)$, where $S$ ranges over subsets of $[n] \times [N]$, and $I_S(f)$ is the product of $\delta_{i,j}(f)$ over the pairs $(i, j) \in S$.

By (1), we may assume that each pair $(i, j) \in S$ has a distinct value of $i$ (a product containing $\delta_{i,j}\delta_{i,j'}$ with $j \ne j'$ vanishes, and $\delta_{i,j}^2 = \delta_{i,j}$); grouping the pairs by their second coordinate, we thus write

$$I_S = \prod_{k=1}^{t} \prod_{i \in S_k} \delta_{i, j_k}, \tag{2}$$

where the sets $S_k$ are disjoint, the values $j_1, \dots, j_t$ are distinct, and $\sum_k |S_k|$ is the degree of the monomial.



2.2 Some special functions 

We now define a collection of functions which are $a$-to-one on part of the domain, and $b$-to-one on the rest of the domain. (These will enable us to interpolate between one-to-one and $r$-to-one functions.)

Fix $N \ge n > 0$. We say that a triple $(m, a, b)$ of integers is valid if $0 \le m \le n$, $a \mid m$, and $b \mid (n - m)$. For any such valid triple, we have a function $f_{m,a,b} \in \mathcal{F}(n, N)$, given by

$$f_{m,a,b}(i) = \begin{cases} \lceil i/a \rceil & 1 \le i \le m, \\ N - \lfloor (n - i)/b \rfloor & m < i \le n. \end{cases}$$

So $f_{m,a,b}$ is $a$-to-one on $m$ points, and $b$-to-one on the remaining $n - m$ points. (Since $N \ge n$, the two parts of the range do not overlap.)

Note that our $f_{m,a,b}$ plays the same role as Shi's $f_{m,g}$, with $a = g$ and $b = 2$.

We now examine the behavior of $f_{m,a,b}$ after we symmetrize by all of $S_n \times S_N$.

Lemma 3 Let $P(f)$ be a degree-$d$ polynomial in the $\delta_{i,j}$. For a valid triple $(m, a, b)$, define $Q(m, a, b)$ by

$$Q(m, a, b) = E_{\sigma,\tau}\left[ P\left( \Gamma_{\sigma,\tau}(f_{m,a,b}) \right) \right].$$

Then $Q$ is a degree-$d$ polynomial in $m, a, b$.

Definition 4 For integers $k, \ell$, let $\ell^{\underline{k}}$ denote the falling power $\ell(\ell - 1) \cdots (\ell - k + 1)$.
Proof of Lemma 3 It suffices to prove the lemma in the case where $P$ is a monomial $I_S$. We write $I_S$ in the form (2); then $d = |S|$. We write $s_k = |S_k|$.

For each subset $U \subseteq [t]$, let $A_U$ be the following event: for each $k \in U$, $\tau^{-1}(j_k) \le m/a$; for each $k \notin U$, $\tau^{-1}(j_k) \ge N - (n - m)/b + 1$.

Clearly the events $A_U$ are disjoint. If $I_S(\Gamma_{\sigma,\tau}(f_{m,a,b}))$ is nonzero, then every $\tau^{-1}(j_k)$ must lie in the range of $f_{m,a,b}$, so some event $A_U$ must occur. Hence, we write

$$Q(m, a, b) = \sum_{U \subseteq [t]} \Pr(A_U)\, Q_U(m, a, b),$$

where

$$Q_U(m, a, b) = E_{\sigma,\tau}\left[ I_S\left( \Gamma_{\sigma,\tau}(f_{m,a,b}) \right) \,\middle|\, A_U \right].$$

Choose some $U$, and let $u = |U|$. Then $\Pr(A_U)$ is given by

$$\Pr(A_U) = $$

which is a rational function in $m, a, b$. The numerator has degree $t$, and the denominator is $a^u b^{t-u}$.

Also,

$$Q_U(m, a, b) = \frac{1}{n^{\underline{d}}} \prod_{k \in U} a^{\underline{s_k}} \prod_{k \notin U} b^{\underline{s_k}}.$$

This is a polynomial in $a, b$ of degree $d$; furthermore $Q_U$ is divisible by $a^u b^{t-u}$.

Hence, for each $U$, $\Pr(A_U)\, Q_U$ is a degree-$d$ polynomial in $m, a, b$. Therefore $Q(m, a, b)$ is itself a degree-$d$ polynomial. This concludes the lemma. ∎
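The two closed forms behind the degree claims in the proof, written out here as an added derivation (an editor's expansion of the argument above, not text from the original note). It uses only the definition of $A_U$, the definition of $f_{m,a,b}$, and the falling-power notation of Definition 4; the values $d$, $t$, $u$, $s_k$ are as in the proof.

Since $\tau$ is uniform on $S_N$ and the $j_k$ are distinct, the tuple $(\tau^{-1}(j_1), \dots, \tau^{-1}(j_t))$ is a uniformly random sequence of $t$ distinct elements of $[N]$. The low block $\{1, \dots, m/a\}$ has $m/a$ elements and the high block $\{N - (n-m)/b + 1, \dots, N\}$ has $(n-m)/b$ elements, so counting sequences whose $U$-coordinates land in the low block and whose other coordinates land in the high block gives

$$\Pr(A_U) = \frac{(m/a)^{\underline{u}} \,\bigl((n-m)/b\bigr)^{\underline{t-u}}}{N^{\underline{t}}}.$$

Multiplying out the falling powers, $a^{u} (m/a)^{\underline{u}} = \prod_{i=0}^{u-1} (m - ia)$ and $b^{t-u} \bigl((n-m)/b\bigr)^{\underline{t-u}} = \prod_{i=0}^{t-u-1} (n - m - ib)$, so $a^u b^{t-u} \Pr(A_U)$ is a polynomial in $m, a, b$ of total degree $t$ (the denominator $N^{\underline{t}}$ is a constant).

Conditioned on $A_U$, each $v_k = \tau^{-1}(j_k)$ lies in the range of $f_{m,a,b}$, with $|f_{m,a,b}^{-1}(v_k)| = a$ for $k \in U$ and $|f_{m,a,b}^{-1}(v_k)| = b$ for $k \notin U$; these preimages are pairwise disjoint because the $v_k$ are distinct. Now $I_S(\Gamma_{\sigma,\tau}(f_{m,a,b})) = 1$ exactly when $\tau(f_{m,a,b}(\sigma(i))) = j_k$ for every $i \in S_k$, i.e. when $\sigma$ maps each $S_k$ into $f_{m,a,b}^{-1}(v_k)$. A uniform $\sigma \in S_n$ restricts to a uniform injection of the $d$ points of $\bigcup_k S_k$ into $[n]$, so

$$Q_U(m, a, b) = \frac{1}{n^{\underline{d}}} \prod_{k \in U} a^{\underline{s_k}} \prod_{k \notin U} b^{\underline{s_k}},$$

which has degree $\sum_k s_k = d$ in $a, b$, and is divisible by $a^u b^{t-u}$ because every $s_k \ge 1$ and a falling power $x^{\underline{s}}$ with $s \ge 1$ has the factor $x$. Hence

$$\Pr(A_U)\, Q_U(m, a, b) = \bigl( a^u b^{t-u} \Pr(A_U) \bigr) \cdot \frac{Q_U(m, a, b)}{a^u b^{t-u}}$$

is a product of polynomials in $m, a, b$ of degrees $t$ and $d - t$, which is the degree-$d$ claim.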

3 Main Proof 

We are now ready to prove Theorem 1.

Proof of Theorem 1 Let $A$ be an algorithm which distinguishes one-to-one from $r$-to-one in $T$ queries, and let $P(f)$ be the corresponding acceptance probability. $P(f)$ is a polynomial in the $\delta_{i,j}$ of degree at most $2T$. Let $Q(m, a, b)$ be formed from $P$ as in Lemma 3, and let $d = \deg Q$; we have $d \le 2T$.

For any $\sigma, \tau$, we know that $\Gamma_{\sigma,\tau}(f_{m,a,b})$ is a valid function. If $a = b$, this function is $a$-to-one. We conclude the following:

1. $0 \le Q(m, a, b) \le 1$ whenever $(m, a, b)$ is a valid triple.

2. $0 \le Q(m, 1, 1) \le 1/3$ for any $m$.

3. $2/3 \le Q(m, r, r) \le 1$ for any $m$ where $r \mid m$.

The remainder of the proof consists of proving that $\deg Q = \Omega((n/r)^{1/3})$. For simplicity of exposition, we begin with the case $r = 2$.

Let $M = 2\lfloor n/4 \rfloor$. We ask: is $Q(M, 1, 2) \ge 1/2$? In other words: does our algorithm accept (at least half the time) an input which is one-to-one on half the domain, and two-to-one on the other half?

Case I: $Q(M, 1, 2) \ge 1/2$. Let $c$ be the least integer for which $|Q(M, 1, c)| > 2$. (Such a $c$ exists: $Q(M, 1, x)$ is a nonconstant polynomial in $x$, since its values at $x = 1$ and $x = 2$ differ, and a nonconstant polynomial is unbounded on the positive integers.) Then we have $Q(M, 1, x)$ between $-2$ and $2$ for all positive integers $x < c$, and $|Q(M, 1, 1) - Q(M, 1, 2)| \ge 1/6$. By Theorem 2 we have $d = \Omega(\sqrt{c})$.

Now, we consider the polynomial $h(i) = Q(ci, 1, c)$. For any integer $i$ in the range $0 \le i \le \lfloor n/c \rfloor$, we have $0 \le h(i) \le 1$. But $|h(M/c)| > 2$. We conclude, by Theorem 2, that $d = \Omega(n/c)$.

Case II: $Q(M, 1, 2) < 1/2$. Now, let $c$ be the least even integer for which $|Q(M, c, 2)| > 2$. As in Case I, we first get $d = \Omega(\sqrt{c})$. Then, by considering $h(i) = Q(ci, c, 2)$, we obtain $d = \Omega(n/c)$.

In either case, by combining $d = \Omega(\sqrt{c})$ and $d = \Omega(n/c)$, we get $d^3 = \Omega(n)$ (multiply the square of the first bound by the second; $c$ cancels), or $d = \Omega(n^{1/3})$.

For general $r$, the setup is almost identical: we now split into cases based on whether $Q(M, 1, r) \ge 1/2$. (Note that, in Case II, we let $c$ be the least multiple of $r$ for which $|Q(M, c, r)| > 2$.) We first get $d = \Omega(\sqrt{c/r})$, and then $d = \Omega(n/c)$, yielding $d = \Omega((n/r)^{1/3})$. ∎
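As an added, self-contained check (example code written for this edition, not part of the original note), the following Python script builds $f_{m,a,b}$ as defined in Section 2.2, applies $\Gamma_{\sigma,\tau}$, and computes $Q(m, a, b)$ for a monomial $I_S$ in two ways: by brute-force enumeration of $S_n \times S_N$, and through the decomposition $\sum_U \Pr(A_U)\, Q_U$ of Lemma 3. The closed forms it uses for $\Pr(A_U)$ and $Q_U$ are derived from the definition of $A_U$ and of $f_{m,a,b}$ (an assumption of this example; the page does not display $\Pr(A_U)$ explicitly). It also checks the fact used at the start of the proof of Theorem 1, that every $\Gamma_{\sigma,\tau}(f_{m,a,b})$ has the same preimage structure as $f_{m,a,b}$, so it is $a$-to-one when $a = b$. The monomials and the parameters $n = N = 4$ are constructed for the demonstration.

```python
"""Exact check of f_{m,a,b}, Gamma_{sigma,tau} and Lemma 3 on tiny instances."""
from fractions import Fraction
from itertools import permutations


def is_valid_triple(n, m, a, b):
    """(m, a, b) is valid when 0 <= m <= n, a | m and b | (n - m)."""
    return 0 <= m <= n and m % a == 0 and (n - m) % b == 0


def f_mab(n, N, m, a, b):
    """f_{m,a,b}: [n] -> [N], a-to-one on 1..m and b-to-one on m+1..n (dict i -> f(i))."""
    assert N >= n and is_valid_triple(n, m, a, b)
    return {i: (i + a - 1) // a if i <= m else N - (n - i) // b
            for i in range(1, n + 1)}


def preimage_sizes(f):
    """Map each value in the range of f to the size of its preimage."""
    sizes = {}
    for v in f.values():
        sizes[v] = sizes.get(v, 0) + 1
    return sizes


def gamma(f, sigma, tau):
    """Gamma_{sigma,tau}(f) = tau o f o sigma; sigma[i-1] = sigma(i), tau[j-1] = tau(j)."""
    return {i: tau[f[sigma[i - 1]] - 1] for i in f}


def monomial(f, S):
    """I_S(f) = prod over (i, j) in S of delta_{i,j}(f)."""
    return 1 if all(f[i] == j for i, j in S) else 0


def Q_exact(n, N, m, a, b, S):
    """Q(m,a,b) = E_{sigma,tau}[I_S(Gamma_{sigma,tau}(f_{m,a,b}))], by full enumeration."""
    f = f_mab(n, N, m, a, b)
    hits = total = 0
    for sigma in permutations(range(1, n + 1)):
        for tau in permutations(range(1, N + 1)):
            hits += monomial(gamma(f, sigma, tau), S)
            total += 1
    return Fraction(hits, total)


def falling(x, k):
    """Falling power x(x-1)...(x-k+1) of Definition 4."""
    out = Fraction(1)
    for t in range(k):
        out *= x - t
    return out


def Q_decomposed(n, N, m, a, b, S):
    """sum_U Pr(A_U) Q_U with the closed forms (derived, not quoted from the page):
    Pr(A_U) = (m/a)^{u} ((n-m)/b)^{t-u} / N^{t}  (falling powers: u of the t distinct
              values tau^{-1}(j_k) fall in the low block of size m/a, the rest in the
              high block of size (n-m)/b),
    Q_U     = prod_{k in U} a^{s_k} prod_{k not in U} b^{s_k} / n^{d}.
    S must have distinct first coordinates, as (1) lets us assume."""
    groups = {}
    for i, j in S:
        groups.setdefault(j, []).append(i)      # S_k = {i : (i, j_k) in S}
    sizes = [len(g) for g in groups.values()]   # s_k = |S_k|
    t, d = len(sizes), len(S)
    total = Fraction(0)
    for mask in range(1 << t):
        U = {k for k in range(t) if mask >> k & 1}
        u = len(U)
        pr_A = (falling(Fraction(m, a), u) * falling(Fraction(n - m, b), t - u)
                / falling(N, t))
        q_U = Fraction(1)
        for k, s_k in enumerate(sizes):
            q_U *= falling(a if k in U else b, s_k)
        q_U /= falling(n, d)
        total += pr_A * q_U
    return total


def gamma_preserves_profile(n, N, m, a, b):
    """Every Gamma_{sigma,tau}(f_{m,a,b}) has the multiset of preimage sizes of f_{m,a,b}
    (the fact behind items 1-3 in the proof of Theorem 1)."""
    f = f_mab(n, N, m, a, b)
    profile = sorted(preimage_sizes(f).values())
    return all(sorted(preimage_sizes(gamma(f, s, t)).values()) == profile
               for s in permutations(range(1, n + 1))
               for t in permutations(range(1, N + 1)))


if __name__ == "__main__":
    S = [(1, 1), (2, 2)]   # constructed monomial delta_{1,1} delta_{2,2}: t = 2, d = 2
    print(f_mab(4, 4, 2, 1, 2))
    print(Q_exact(4, 4, 2, 1, 2, S), Q_decomposed(4, 4, 2, 1, 2, S))
    print(gamma_preserves_profile(4, 4, 2, 2, 2))
```

Keep $n$ and $N$ at 4 or 5: `Q_exact` and `gamma_preserves_profile` enumerate all $n!\,N!$ pairs $(\sigma, \tau)$, which is what makes the comparison with `Q_decomposed` an exact rational identity rather than a sampled estimate.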